Email still the top vector for attackers
Infection chains might change, but the initiation method remains the same
While more exotic forms of attack may make headlines, it turns out good old email is still the most popular vector of attack for malicious actors, according to research from HP Wolf Security, accounting for 79% of threats.
The figure is down a single percentage point from 2022 but highlights the issues facing email administrators. Web browser downloads also dropped by 1% to 12%, while other vectors, such as removable media, grew to 9%.
Researchers noted that while attack chains tended to be formulaic, threat actors had moved towards connecting different components to create something more unique – and harder to detect.
According to researchers “32% of the QakBot infection chains analyzed by HP in Q2 were unique”.
QakBot spam activity surged in Q2 2023, with the malware distributors switching between many different file types to infect PCs.
Patrick Schläpfer, Senior Malware Analyst at HP Wolf Security, told ITPro that the team had seen continuous and rapid change across various attack vectors. He gave the example of the QakBot campaigns, which showed threat actors changing their initial vector as well as techniques within the infection chain.
He also noted the impact of Microsoft’s disabling of macros by default, which has forced a diversification of attack vectors. “During 2022, we observed attackers attempting various newer techniques such as HTML smuggling, PDF lures, and also OneNote documents – which is particularly interesting as OneNote attacks do not rely on macros,” he said.
Schläpfer noted that most attacks were wide-ranging rather than targeted as attackers attempted to gain a foothold in a system. He shared statistics with ITPro collected over the course of Q2 2023 that show over half (51.5%) of malicious email attachments were archives and almost a quarter (24.4%) were documents. PDFs accounted for 4.2% and executables 1.5%.
Attackers are also becoming more creative, according to the research. One recent campaign used multiple programming languages in an effort to avoid detection: the payload was encrypted in Go, then switched to C++ to interact with the victim’s operating system, before running .NET malware.
According to Schläpfer, attackers are becoming more knowledgeable about their target systems, making it easier to exploit gaps or vulnerabilities. He said: “By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm”.
With email remaining the top attack vector, the advice for administrators remains the same. Dr Ian Pratt, global head of security for personal systems at HP, commented that while attack chains might vary, the initiation methods tended to remain the same: “It inevitably comes down to the user clicking on something”.
“Instead of trying to second guess the infection chain, organizations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”
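A defender-side illustration of the attachment statistics above and of Pratt's advice to isolate risky activities rather than second-guess the infection chain: a small mail-gateway triage that classifies each attachment by its content rather than its filename, blocks executables and extension mismatches, and routes archives, documents (including OneNote), PDFs and HTML into isolation. This is an added example, not code from HP Wolf Security or ITPro; the magic-byte table and the sample batch are constructed, and the HTML-smuggling check is a simple heuristic (base64 decode plus Blob assembly in script), not a full detector.

```python
"""Attachment triage for a mail gateway (added example, not HP's code):
decide by content, not the sender's filename, and isolate rather than guess."""
from collections import Counter

# Magic-byte table, constructed for the example (OOXML files are zip containers)
MAGIC = {b"PK\x03\x04": "archive", b"Rar!\x1a\x07": "archive",
         b"%PDF": "pdf", b"MZ": "executable",
         b"\xd0\xcf\x11\xe0": "document",                     # legacy OLE Office
         b"\xe4\x52\x5c\x7b\x8c\xd8\xa7\x4d": "document"}     # OneNote .one
EXT = {".zip": "archive", ".rar": "archive", ".pdf": "pdf", ".exe": "executable",
       ".doc": "document", ".docx": "document", ".xlsx": "document",
       ".one": "document", ".html": "html", ".htm": "html"}
RISKY = {"archive", "document", "html", "pdf"}   # open only in isolation

def classify(data: bytes) -> str:            # category from content alone
    for sig, cat in MAGIC.items():
        if data.startswith(sig):
            if cat == "archive" and b"[Content_Types].xml" in data:
                return "document"            # docx/xlsx: zip with OOXML manifest
            return cat
    return "html" if data.lstrip()[:1] == b"<" else "other"

def triage(name: str, data: bytes) -> dict:  # block, isolate or allow one file
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed, actual = EXT.get(ext, "other"), classify(data)
    mismatch = claimed != actual             # e.g. an .exe renamed to .pdf
    smuggling = actual == "html" and (b"atob(" in data or b"Blob(" in data)
    action = ("block" if actual == "executable" or mismatch
              else "isolate" if actual in RISKY else "allow")
    return {"name": name, "category": actual, "mismatch": mismatch,
            "html_smuggling": smuggling, "action": action}

def summarize(batch):                        # per-category share in percent
    results = [triage(n, d) for n, d in batch]
    counts = Counter(r["category"] for r in results)
    share = {c: round(100 * k / len(results), 1) for c, k in counts.items()}
    return results, share

# Constructed sample batch (not real samples)
SAMPLE = [
    ("invoice.zip", b"PK\x03\x04" + b"\x00" * 8 + b"invoice.js"),
    ("report.docx", b"PK\x03\x04" + b"\x00" * 8 + b"[Content_Types].xml"),
    ("statement.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("notes.one", b"\xe4\x52\x5c\x7b\x8c\xd8\xa7\x4d\xae\xb1\x53\x78"),
    ("update.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("payment.html", b"<html><script>var b=new Blob([atob(p)])</script>"),
    ("readme.txt", b"plain text"),
]
```

Running `summarize(SAMPLE)` on the constructed batch blocks the disguised executable, isolates the archive, both documents, the PDF and the HTML file, and allows only the plain-text file.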

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.
